OpenLDAP > 2.4.11 sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000

O. Hartmann ohartman at zedat.fu-berlin.de
Fri Apr 24 11:56:04 UTC 2009


We run a bunch of FreeBSD boxes, some FreeBSD 7.2, others (most) FreeBSD 
8.0-CURRENT (most amd64).

These boxes manage their users via OpenLDAP 2.4.XX. Before we did an 
upgrade to OpenLDAP 2.4.15/16, everything was all right. Now, after 
nearly all of our OpenLDAP servers have been upgraded to 2.4.16, users 
cannot log in via ssh onto their hosts for work. Because this is at 
this very moment a very small scientific test facility I circumvent 
problems by having local accounts the traditional way.

When users try to login on a workstation via ssh the connection gets 
closed after they provided their password, sending this error:

sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000 
(or whatever UID is provided)


Sshd on server side is configured to use PAM and both pam_ldap and 
nss_ldap are installed, up to date, recompiled to match OpenLDAP 2.4.16. 
Besides, OpenLDAP 2.4.11/13/14/15/16 uses DB4.7 on our installation.

The funny thing is that this problem occurred immediately and 
synchronously on all clients and OpenLDAP servers when moved from 2.4.11 
to 2.4.16/db47. On the other hand, and also very funny and confusing, I 
can enumerate every UID in the home directory, I can su to every user 
managed by LDAP, I can 'su' to users, users are able to authenticate 
themselves when using SAMBA (also OpenLDAP backed) and authenticate 
web-users when accessing restricted pages on our site secured by 
OpenLDAP backed authentication (lighttpd). But no one is capable of logging 
in via ssh!

The situation is very frustrating. I do not see anything suspicious when 
tracking OpenLDAP's logs (ACL/stats), nor do I see anything weird when 
looking at sshd's logs. I need help to track down this problem.

When I search the net for the above mentioned specific error message I 
get a lot of trouble reports concerning nss_ldap and sshd, but those 
were related to 2003/2005.

Any suggestions?

Thanks in advance,
Oliver


More information about the freebsd-questions mailing list